naxsi_core.rules - openwhisk-apigateway - Git at Google

 #/*
 # * Copyright (c) 2012 Adobe Systems Incorporated. All rights reserved.
 # *
 # * Permission is hereby granted, free of charge, to any person obtaining a
 # * copy of this software and associated documentation files (the "Software"),
 # * to deal in the Software without restriction, including without limitation
 # * the rights to use, copy, modify, merge, publish, distribute, sublicense,
 # * and/or sell copies of the Software, and to permit persons to whom the
 # * Software is furnished to do so, subject to the following conditions:
 # *
 # * The above copyright notice and this permission notice shall be included in
 # * all copies or substantial portions of the Software.
 # *
 # * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 # * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 # * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 # * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 # * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 # * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
 # * DEALINGS IN THE SOFTWARE.
 # *
 # */

 ##################################
 ## INTERNAL RULES IDS:1-999     ##
 ##################################
 #@MainRule "msg:weird request, unable to parse" id:1;
 #@MainRule "msg:request too big, stored on disk and not parsed" id:2;
 #@MainRule "msg:invalid hex encoding, null bytes" id:10;
 #@MainRule "msg:unknown content-type" id:11;
 #@MainRule "msg:invalid formatted url" id:12;
 #@MainRule "msg:invalid POST format" id:13;
 #@MainRule "msg:invalid POST boundary" id:14;

 ##################################
 ## SQL Injections IDs:1000-1099 ##
 ##################################
 MainRule "rx:select|union|update|delete|insert|table|from|ascii|hex|unhex|drop" "msg:sql keywords" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
 MainRule "str:\"" "msg:double quote" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
 MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
 ## Hardcore rules
 MainRule "str:/*" "msg:mysql comment (/*)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
 MainRule "str:*/" "msg:mysql comment (*/)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
 MainRule "str:|" "msg:mysql keyword (|)"  "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
 MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
 ## end of hardcore rules
 MainRule "str:--" "msg:mysql comment (--)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
 MainRule "str:;" "msg:; in stuff" "mz:BODY|URL|ARGS" "s:$SQL:4,$XSS:8" id:1008;
 MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS|BODY" "s:$SQL:2" id:1009;
 MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
 MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
 MainRule "str:'" "msg:simple quote" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
 MainRule "str:," "msg:, in stuff" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
 MainRule "str:#" "msg:mysql comment (#)" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;

 ###############################
 ## OBVIOUS RFI IDs:1100-1199 ##
 ###############################
 MainRule "str:http://" "msg:http:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
 MainRule "str:https://" "msg:https:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
 MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
 MainRule "str:php://" "msg:php:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
 MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
 MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
 MainRule "str:data://" "msg:data:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
 MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
 MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
 MainRule "str:file://" "msg:file:// scheme" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;

 #######################################
 ## Directory traversal IDs:1200-1299 ##
 #######################################
 MainRule "str:.." "msg:double dot" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
 MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
 MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
 MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
 MainRule "str:\\" "msg:backslash" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
 #MainRule "str:/" "msg:slash in args" "mz:ARGS|BODY|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;

 ########################################
 ## Cross Site Scripting IDs:1300-1399 ##
 ########################################
 MainRule "str:<" "msg:html open tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
 MainRule "str:>" "msg:html close tag" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
 MainRule "str:[" "msg:[, possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
 MainRule "str:]" "msg:], possible js" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
 MainRule "str:~" "msg:~ character" "mz:BODY|URL|ARGS|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
 MainRule "str:`"  "msg:grave accent !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
 MainRule "rx:%[2|3]."  "msg:double encoding !" "mz:ARGS|URL|BODY|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;

 ####################################
 ## Evading tricks IDs: 1400-1500 ##
 ####################################
 MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
 MainRule "str:%U" "msg: M$ encoding" "mz:ARGS|BODY|URL|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
 MainRule negative "rx:multipart/form-data|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;

 #############################
 ## File uploads: 1500-1600 ##
 #############################
 MainRule "rx:.ph|.asp|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

 ################################
 ## Known Attacks: Various IDs ##
 ################################
 MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY|HEADERS" "s:$ATTACK:8" id:42000393  ;
	#/*
	# * Copyright (c) 2012 Adobe Systems Incorporated. All rights reserved.
	# *
	# * Permission is hereby granted, free of charge, to any person obtaining a
	# * copy of this software and associated documentation files (the "Software"),
	# * to deal in the Software without restriction, including without limitation
	# * the rights to use, copy, modify, merge, publish, distribute, sublicense,
	# * and/or sell copies of the Software, and to permit persons to whom the
	# * Software is furnished to do so, subject to the following conditions:
	# *
	# * The above copyright notice and this permission notice shall be included in
	# * all copies or substantial portions of the Software.
	# *
	# * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
	# * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
	# * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
	# * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
	# * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
	# * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
	# * DEALINGS IN THE SOFTWARE.
	# *
	# */

	##################################
	## INTERNAL RULES IDS:1-999 ##
	##################################
	#@MainRule "msg:weird request, unable to parse" id:1;
	#@MainRule "msg:request too big, stored on disk and not parsed" id:2;
	#@MainRule "msg:invalid hex encoding, null bytes" id:10;
	#@MainRule "msg:unknown content-type" id:11;
	#@MainRule "msg:invalid formatted url" id:12;
	#@MainRule "msg:invalid POST format" id:13;
	#@MainRule "msg:invalid POST boundary" id:14;

	##################################
	## SQL Injections IDs:1000-1099 ##
	##################################
	MainRule "rx:select\|union\|update\|delete\|insert\|table\|from\|ascii\|hex\|unhex\|drop" "msg:sql keywords" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1000;
	MainRule "str:\"" "msg:double quote" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:8,$XSS:8" id:1001;
	MainRule "str:0x" "msg:0x, possible hex encoding" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:2" id:1002;
	## Hardcore rules
	MainRule "str:/" "msg:mysql comment (/)" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1003;
	MainRule "str:/" "msg:mysql comment (/)" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1004;
	MainRule "str:\|" "msg:mysql keyword (\|)" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1005;
	MainRule "str:&&" "msg:mysql keyword (&&)" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:8" id:1006;
	## end of hardcore rules
	MainRule "str:--" "msg:mysql comment (--)" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1007;
	MainRule "str:;" "msg:; in stuff" "mz:BODY\|URL\|ARGS" "s:$SQL:4,$XSS:8" id:1008;
	MainRule "str:=" "msg:equal in var, probable sql/xss" "mz:ARGS\|BODY" "s:$SQL:2" id:1009;
	MainRule "str:(" "msg:parenthesis, probable sql/xss" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1010;
	MainRule "str:)" "msg:parenthesis, probable sql/xss" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1011;
	MainRule "str:'" "msg:simple quote" "mz:ARGS\|BODY\|URL\|$HEADERS_VAR:Cookie" "s:$SQL:4,$XSS:8" id:1013;
	MainRule "str:," "msg:, in stuff" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1015;
	MainRule "str:#" "msg:mysql comment (#)" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$SQL:4" id:1016;

	###############################
	## OBVIOUS RFI IDs:1100-1199 ##
	###############################
	MainRule "str:http://" "msg:http:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1100;
	MainRule "str:https://" "msg:https:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1101;
	MainRule "str:ftp://" "msg:ftp:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1102;
	MainRule "str:php://" "msg:php:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1103;
	MainRule "str:sftp://" "msg:sftp:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1104;
	MainRule "str:zlib://" "msg:zlib:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1105;
	MainRule "str:data://" "msg:data:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1106;
	MainRule "str:glob://" "msg:glob:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1107;
	MainRule "str:phar://" "msg:phar:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1108;
	MainRule "str:file://" "msg:file:// scheme" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$RFI:8" id:1109;

	#######################################
	## Directory traversal IDs:1200-1299 ##
	#######################################
	MainRule "str:.." "msg:double dot" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1200;
	MainRule "str:/etc/passwd" "msg:obvious probe" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1202;
	MainRule "str:c:\\" "msg:obvious windows path" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1203;
	MainRule "str:cmd.exe" "msg:obvious probe" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1204;
	MainRule "str:\\" "msg:backslash" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:4" id:1205;
	#MainRule "str:/" "msg:slash in args" "mz:ARGS\|BODY\|$HEADERS_VAR:Cookie" "s:$TRAVERSAL:2" id:1206;

	########################################
	## Cross Site Scripting IDs:1300-1399 ##
	########################################
	MainRule "str:<" "msg:html open tag" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1302;
	MainRule "str:>" "msg:html close tag" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1303;
	MainRule "str:[" "msg:[, possible js" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1310;
	MainRule "str:]" "msg:], possible js" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1311;
	MainRule "str:~" "msg:~ character" "mz:BODY\|URL\|ARGS\|$HEADERS_VAR:Cookie" "s:$XSS:4" id:1312;
	MainRule "str:`" "msg:grave accent !" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1314;
	MainRule "rx:%[2\|3]." "msg:double encoding !" "mz:ARGS\|URL\|BODY\|$HEADERS_VAR:Cookie" "s:$XSS:8" id:1315;

	####################################
	## Evading tricks IDs: 1400-1500 ##
	####################################
	MainRule "str:&#" "msg: utf7/8 encoding" "mz:ARGS\|BODY\|URL\|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1400;
	MainRule "str:%U" "msg: M$ encoding" "mz:ARGS\|BODY\|URL\|$HEADERS_VAR:Cookie" "s:$EVADE:4" id:1401;
	MainRule negative "rx:multipart/form-data\|application/x-www-form-urlencoded" "msg:Content is neither mulipart/x-www-form.." "mz:$HEADERS_VAR:Content-type" "s:$EVADE:4" id:1402;

	#############################
	## File uploads: 1500-1600 ##
	#############################
	MainRule "rx:.ph\|.asp\|.ht" "msg:asp/php file upload!" "mz:FILE_EXT" "s:$UPLOAD:8" id:1500;

	################################
	## Known Attacks: Various IDs ##
	################################
	MainRule "str:() {" "msg:Possible Remote code execution through Bash CVE-2014-6271" "mz:BODY\|HEADERS" "s:$ATTACK:8" id:42000393 ;